What Are Sandwich Attacks & How Can You Protect Yourself?
Sandwich attacks might sound yummy but they can leave a bad taste in your mouth if you become a victim.
While the DeFi market offers a plethora of exciting opportunities, it remains susceptible to attacks that try to take advantage of the smart contract-built nature of DeFi applications.
The so-called “sandwich attack” is one such attack.
In this guide, we take a look at what a sandwich attack is, how it works, and how you mitigate the risk of falling victim to one.
What is a Sandwich Attack?
In a nutshell, a sandwich attack involves “sandwiching” a user’s transactions in between two transactions. These two transactions are before and after the users transaction (hence the name sandwich), generating a loss for the user and a gain for the attacker. Sandwich attacks typically take place on decentralized exchanges (DEXs) and result in price manipulation.
In a sandwich attack, a bad actor will look for a pending transaction by another user on a blockchain network of their choice. The predatory trader will then place one trade order just before the victim’s pending transaction (front-running) and another trade order just after it (back-running). The victim’s pending transaction will be sandwiched between the two new trade orders created by the attacker. If the attack is successful, the attacker will create an artificial price increase and generate a profit.
Sandwich attacks are partly possible because of transaction transparency in the mempool but also because DEXs allow price slippage during trades.
Price slippage refers to the difference between the expected price of a trade and the actual trade execution price. DEXs usually allow for 1% slippage but in trading pools with lower liquidity, slippage can go up to 3% or higher.
Now, let’s look at an example.
First, the attacker will buy an asset the victim is trying to swap. For example, using WBTC to exchange to ETH. At the point of buying the asset, the attacker already knows that the price of ETH is increasing. They will proceed to buy ETH at a lower price so that the victim ends up buying it at a higher price. The attacker stands to gain as they end up selling the ETH they bought at a lower price, at a higher price immediately after.
In this scenario, the predator trader will create an artificial price increase in ETH, resulting in an increased price of ETH and — if successful — a profit for themselves.
Not So Yummy! How Sandwich Attacks Work
Sandwich attacks can be executed with relative ease because of the transparent nature of the blockchain, price slippage on DEXs, and the low latency when it comes to executing orders on slower chains, like Ethereum.
All transactions carried out on the blockchain can be observed in the mempool. Moreover, many DeFi smart contracts don’t contain functions that prevent such attacks.
The first step in a sandwich attack is a bot that will sniff out target DEX transactions. Usually, the bot will look for trade transactions that have a low gas price as well as liquidity pool transactions that allow LP providers to claim the reward and convert them to the stipulated tokens. Most sandwich attacks are carried out on automated market makers (AMMs), such as Uniswap and SushiSwap.
An AMM is a protocol that allows decentralized exchanges to carry out trades automatically and without permission by utilizing liquidity pools instead of traditional centrally-managed order books.
AMMs guarantee that trades will be executed continuously through their pricing algorithm. This aspect of the AMM is what makes carrying out a sandwich attack on a decentralized exchange possible because once a bot or an attacker sniff out the transaction, they are able to then front-run and back-run a standard trade transaction at the same time, while the original transaction still goes through because AMM transactions allow for price slippage.
Are Sandwich Attacks Profitable?
While carrying out a sandwich attack may seem easy for crypto-savvy attacks, you may ask: are sandwich attacks profitable? And are they worth it?
Proftible? *Yes, they can be. *
Worth it? *Probably not. *
Sandwich attacks are not as profitable as you may think.
The cost of carrying out a sandwich attack often outweighs whatever profits the attacker makes. For example, most DEXs take a percentage fee from every trade made on the platform. What that means for an attacker is that they’ll incur a transaction fee for both front-running and back-running a normal trade. Additionally, Ethereum and several DeFi chains charge quite high gas fees, adding to the cost of such as attack.
Sandwich attacks can, however, still be profitable especially if the commission earned and the transaction cost for carrying out the sandwich attack is lower than the victim’s trading amount.
How to Protect Yourself
Currently, it isn’t really possible for investors to protect themselves against sandwich attacks.
Until decentralized trading platforms deploy smart contracts that prevent such attacks, DeFi users will have to accept that the risk of having their decentralized trading transactions sandwiched remains.
However, that is not to say that there aren’t strides being made to change that.
Numerous protocols are working to integrate technologies, such as ZK-Snarks, that aid in masking or encrypting trade information so that bots and attackers can’t identify target trades. 1inch, for example, now offers “flashbot transactions” that are not visible in the mempool.
Considering DeFi is still in its infancy, other solutions to prevent such attacks will likely be found in the future. How long that will take remains to be seen.